authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-12-24 11:25:47 +0100
committerDr. David von Oheimb <dev@ddvo.net>2021-01-13 11:53:15 +0100
commit41e597a01d95540f52e8bc4d69f88c3d93a093ce (patch)
tree5ae2b3b3691b635e55d704f8874bacfce6c34911 /test
parentea9fd333d19096d654cb252a2f6785ca03bfcbc1 (diff)
Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert
Also clean up some related auxiliary functions and documentation.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Diffstat (limited to 'test')
-rw-r--r--test/recipes/25-test_req.t25
-rw-r--r--test/recipes/tconversion.pl32
2 files changed, 43 insertions, 14 deletions
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index cb9f8888a5..7f699c065d 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -15,9 +15,9 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_req");
-plan tests => 39;
+plan tests => 38;
-require_ok(srctop_file('test','recipes','tconversion.pl'));
+require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
my @certs = qw(test certs);
@@ -259,7 +259,7 @@ sub generate_cert {
my $cn = $is_ca ? "CA" : "EE";
my $ca_key = srctop_file(@certs, "ca-key.pem");
my $key = $is_ca ? $ca_key : srctop_file(@certs, "ee-key.pem");
- my @cmd = ("openssl", "req", "-config", "\"\"","-x509",
+ my @cmd = ("openssl", "req", "-config", "\"\"", "-x509",
"-key", $key, "-subj", "/CN=$cn", @_, "-out", $cert);
push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss;
ok(run(app([@cmd])), "generate $cert");
@@ -286,10 +286,10 @@ sub strict_verify {
my @v3_ca = ("-addext", "basicConstraints = critical,CA:true",
"-addext", "keyUsage = keyCertSign");
+my $SKID_AKID = "subjectKeyIdentifier,authorityKeyIdentifier";
my $cert = "self-signed_v1_CA_no_KIDs.pem";
generate_cert($cert);
-has_SKID($ca_cert, 0);
-has_AKID($ca_cert, 0);
+cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
#TODO strict_verify($cert, 1); # self-signed v1 root cert should be accepted as CA
$ca_cert = "self-signed_v3_CA_default_SKID.pem";
@@ -300,15 +300,13 @@ strict_verify($ca_cert, 1);
$cert = "self-signed_v3_CA_no_SKID.pem";
generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = none");
-has_SKID($cert, 0);
-has_AKID($cert, 0);
+cert_ext_has_n_different_lines($cert, 0, $SKID_AKID); # no SKID and no AKID
#TODO strict_verify($cert, 0);
$cert = "self-signed_v3_CA_both_KIDs.pem";
generate_cert($cert, @v3_ca, "-addext", "subjectKeyIdentifier = hash",
"-addext", "authorityKeyIdentifier = keyid");
-has_SKID($cert, 1);
-has_AKID($cert, 1);
+cert_ext_has_n_different_lines($cert, 3, $SKID_AKID); # SKID == AKID
strict_verify($cert, 1);
$cert = "self-signed_v3_EE_wrong_keyUsage.pem";
@@ -317,8 +315,7 @@ generate_cert($cert, "-addext", "keyUsage = keyCertSign");
$cert = "v3_EE_default_KIDs.pem";
generate_cert($cert, "-addext", "keyUsage = dataEncipherment");
-has_SKID($cert, 1);
-has_AKID($cert, 1);
+cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
strict_verify($cert, 1, $ca_cert);
$cert = "v3_EE_no_AKID.pem";
@@ -326,3 +323,9 @@ generate_cert($cert, "-addext", "authorityKeyIdentifier = none");
has_SKID($cert, 1);
has_AKID($cert, 0);
strict_verify($cert, 0, $ca_cert);
+
+$cert = "self-issued_v3_EE_default_KIDs.pem";
+generate_cert($cert, "-addext", "keyUsage = dataEncipherment",
+ "-in", srctop_file(@certs, "x509-check.csr"));
+cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
+strict_verify($cert, 1);
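Review bot: The new `strict_verify($cert, 1);` for self-issued_v3_EE_default_KIDs.pem passes no trust anchor, whereas the other EE cases in this file call `strict_verify($cert, 1, $ca_cert);`; generate_cert appends `-CA`/`-CAkey` unless `$ss`, and since `$ss` is computed outside the hunk I cannot tell which branch this name takes, so a one-line comment stating why verification is expected to succeed without `$ca_cert` would stop a reader from assuming the argument was dropped by mistake. The expected counts are the other implicit convention: `cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID` here and the `3` case earlier in the file encode the exact line layout of `openssl x509 -ext` output, so a comment at the `$SKID_AKID` declaration such as `# distinct-line counts of the -ext output: 3 when SKID and AKID coincide, 4 when they differ` would make the 3/4 convention explicit and easier to update if the print format changes.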
diff --git a/test/recipes/tconversion.pl b/test/recipes/tconversion.pl
index bf096994e3..6ae5cf17ea 100644
--- a/test/recipes/tconversion.pl
+++ b/test/recipes/tconversion.pl
@@ -111,8 +111,8 @@ sub cmp_text {
sub file_contains {
$_ = shift @_;
my $pattern = shift @_;
- open(DATA,$_) or return 0;
- $_= join('',<DATA>);
+ open(DATA, $_) or return 0;
+ $_= join('', <DATA>);
close(DATA);
return m/$pattern/ ? 1 : 0;
}
@@ -122,11 +122,37 @@ sub cert_contains {
my $pattern = shift @_;
my $expected = shift @_;
my $name = shift @_;
- my $out = "tmp.out";
+ my $out = "cert_contains.out";
run(app(["openssl", "x509", "-noout", "-text", "-in", $cert, "-out", $out]));
is(file_contains($out, $pattern), $expected, ($name ? "$name: " : "").
"$cert should ".($expected ? "" : "not ")."contain $pattern");
# not unlinking $out
}
+sub uniq (@) {
+ my %seen = ();
+ grep { not $seen{$_}++ } @_;
+}
+
+sub file_n_different_lines {
+ my $filename = shift @_;
+ open(DATA, $filename) or return 0;
+ chomp(my @lines = <DATA>);
+ close(DATA);
+ return scalar(uniq @lines);
+}
+
+sub cert_ext_has_n_different_lines {
+ my $cert = shift @_;
+ my $expected = shift @_;
+ my $exts = shift @_;
+ my $name = shift @_;
+ my $out = "cert_n_different_exts.out";
+ run(app(["openssl", "x509", "-noout", "-ext", $exts,
+ "-in", $cert, "-out", $out]));
+ is(file_n_different_lines($out), $expected, ($name ? "$name: " : "").
+ "$cert '$exts' output should contain $expected different lines");
+ # not unlinking $out
+}
+
1;
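Review bot: In file_n_different_lines, `open(DATA, $filename) or return 0;` makes a missing or unreadable output file indistinguishable from a file with zero lines, so the `expected == 0` checks in 25-test_req.t (no SKID and no AKID) pass even when `openssl x509 -ext` wrote nothing or the open failed; the pre-existing `file_contains` has the same `or return 0` shape. It also reuses the bareword `DATA` handle (the one Perl attaches to a `__DATA__` section) with a 2-arg open; I would write `open(my $fh, '<', $filename) or return undef;  # undef, not 0: is() must fail when the output cannot be read`, then `chomp(my @lines = <$fh>);` and `close($fh);`, using `return undef` rather than a bare `return` because the caller passes the result straight into the list-context argument list of is(). In cert_ext_has_n_different_lines the `run(app([...]))` result is not checked and `cert_n_different_exts.out` is deliberately kept between calls, so a failed openssl invocation would leave the previous test's output in place to be counted; an `unlink $out;` immediately before the run (or asserting the run result) keeps each count tied to its own certificate. The `uniq (@)` prototype is harmless here, but List::Util's `uniq` does the same job without a prototype if the supported List::Util version provides it.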